Tor Hidden Services

Why should clients get all the privacy? Give your servers some
privacy too!

When people write privacy guides, for the most part they are written from
the perspective of the client. Whether you are using HTTPS, blocking
tracking cookies or going so far as to browse the internet over Tor,
those privacy guides focus on helping end users protect themselves
from the potentially malicious and spying web. Since many people who
read Linux Journal sit on the other side of that equation—they run the
servers that host those privacy-defeating services—system administrators also
should step up and do their part to help user privacy. Although part of that just
means making sure your services support TLS, in this article, I describe
how to go one step further and make it possible for your
users to use your services completely anonymously via Tor hidden services.

How It Works

I'm not going to dive into the details of how Tor itself works
so you can use the web anonymously—for those details, check out
https://tor.eff.org. Tor hidden services work within the Tor network and
allow you to register an internal, Tor-only service that gets its own
.onion hostname. When visitors connect to the Tor network, Tor resolves
those .onion addresses and directs you to the anonymous service sitting
behind that name. Unlike other services, though, hidden services
provide two-way anonymity. The server doesn't know the IP of the client,
as with any service you access over Tor, but the client also doesn't
know the IP of the server. This provides the ultimate in privacy, since
anonymity is protected on both sides.

Warnings and Planning

As with setting up a Tor node itself, some
planning is involved if you want to set up a Tor hidden service
so you don't defeat Tor's anonymity via some operational
mistake. There are a lot of rules both from an operational
and security standpoint, so I recommend you read this excellent

to find the latest best practices all in one place.

Without diving into all of those steps, I do want to list a few general-purpose
guidelines here. First, you'll want to make sure that whatever
service you are hosting is listening only on localhost and
isn't reachable via the regular internet. Otherwise, someone may be able
to correlate your hidden service with the public one. Next, go through
whatever service you are running and try to scrub specific identifying
information from it. That means if you are hosting a web service, modify
your web server so it doesn't report its software type or version, and
if you are running a dynamic site, make sure whatever web applications
you use don't report their versions either.
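A small audit script for those two guidelines, added here as an example and not part of the original article. It assumes the hidden service's backend listens on TCP 8080, that the socket listing is in `ss -ltn` format and that the response headers come from something like `curl -sI http://127.0.0.1:8080/`; the sample data below is constructed.

```shell
#!/bin/sh
# Added audit script (not from the article): checks that a service meant for
# a Tor hidden service binds only to loopback and does not leak its version.
# Assumptions: backend on TCP 8080, `ss -ltn` socket listing, HTTP/1.x headers.

# Succeed only if every listener on port $2 in the `ss -ltn` listing $1
# is bound to loopback (127.0.0.1 or [::1]); otherwise print the offenders.
check_loopback_only() {
    listing="$1"; port="$2"; bad=0
    while read -r state recvq sendq laddr peer rest; do
        case "$laddr" in
            *:"$port") ;;                  # a listener on our port
            *) continue ;;                 # header line or another port
        esac
        case "$laddr" in
            127.0.0.1:*|"[::1]":*) ;;      # loopback-bound: fine
            *) echo "NOT LOOPBACK: $laddr"; bad=1 ;;
        esac
    done <<EOF
$listing
EOF
    return "$bad"
}

# Succeed only if no Server or X-Powered-By header in $1 carries a
# version number such as 2.4.41; otherwise print the leaking headers.
check_no_version_leak() {
    leaks=$(printf '%s\n' "$1" | grep -iE '^(Server|X-Powered-By):.*[0-9]+\.[0-9]+' || true)
    if [ -n "$leaks" ]; then
        echo "VERSION LEAK: $leaks"
        return 1
    fi
    return 0
}

# Constructed sample data so the script runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3'
CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache'

if check_loopback_only "$SAMPLE_SS" 8080; then echo "8080: loopback only"; fi
if check_no_version_leak "$CLEAN_HEADERS"; then echo "headers: no version"; fi
check_no_version_leak "$LEAKY_HEADERS" || echo "fix ServerTokens / server_tokens"
```

On a real host, replace the sample strings with the output of `ss -ltn` and `curl -sI` against the backend port.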


Read More here.